| AppSense Management Suite first touches |
|
|
| Written by Richard Thompson, Friday, 17 November 2006 | |
|
Recently my organization purchased the much spoken about AppSense Management Suite with the hopes that this will allow us not only to control what applications run on our servers but who can access them and with the hopes that the software can help up squeeze a few more users on to each of our servers. The AppSense Management Suite consists of the following core components: AppSense Performance Manager AppSense Application Manager And AppSense Environment Manager This document is a product review, I will release a detailed how to shortly.
Please note that the contents of this document are entirely my own opinion basically introducing the software to you and what it can do. I would recommend before making a decision on whether or not to use the software you should arrange a product demonstration. Initial impressions of AppSense are that it is a very complex and very unfriendly looking application but after some playing around within the console familiarizing myself with the management consoles and learning where and how to configure the options it becomes quite a friendly easy to use console. AppSense as an entire management suite is extremely powerful in that you can set controls that only applications specified by the administrator can be launched. You will probably say easy, I can copy my pinball.exe file from my home workstation only a USB memory key, rename it to notepad.exe and play pinball from work. Yeah in many instances where people have merely used a GPO to limit what can run this will work, however AppSense saw this and implemented a control that you can import the application signatures into the database after which renaming the application wont get around the problem. AppSense Performance Manager AppSense Performance Manager is probably the easiest of all the components to implement. The name says it all, this component manages the performance aspect of your server. You can set rules that will decrease memory usage when sessions are in certain states, eg idle, disconnected, minimized, etc as well as hard and soft limits. By this I mean you can apply a limit to a users session saying he/she is allowed 100mb memory and that’s it. As soon as they reach the warning level they will receive a warning and when they exceed the limit another message informing them that they need to close applications in order to continue working. AppSense Performance Managers focus on 3 main components, Bandwidth management, CPU Management and Memory Management. Bandwidth management as the name suggests allows you to manage the bandwidth used by a user or server on a daily basis. You can set thresholds and quotas which allow users certain bandwidth until they reach a certain quota following which you can either block their access or slow their speed right down. All the warning messages shown on the clients connection are customizable allowing you to make your own error messages informing them to contact the helpdesk, etc. CPU Management includes AppSense’s trademark Thread Throttling component. Basically what their thread throttling does is allow the system to use as much CPU as it likes until a configurable threshold is reached. The system then throttles itself to a lower percentage for a configurable amount of time after which it releases the throttle. If the CPU shoots back up the CPU will again be throttle. This process continues until eventually the process does die down. CPU Management by default enables 3 share factor levels. Namely System with a share factor of 3, Administrators with a share factor of 3 and Users with a Share Factor of 2. Here is a real world example of how to work this all out. Our MetaFrame server is currently running with 12 users, 1 administrator and the system account all connected. The possible CPU Allocation is 100%. Users Share Factor Max CPU 12 Users 24 6.66% Per User 1 Administrator 3 10% Per Administrator System 3 10% System Server 30 100% If 1 user were to log off the following change would occur, Users Share Factor Max CPU 11 Users 22 7.14% Per User 1 Administrator 3 10.7% Per Administrator System 3 10.7% System Server 28 100% Basically what the tables are trying to illustrate is how AppSense will allocate the CPU assuming the CPU is sitting maxed out. This is also only done to ensure that in the event of a system problem the administrator will be able to log on and have an acceptable level of processing power. Memory Management allows you not only to specify the amount of physical or virtual memory each session may use but also when AppSense should reduce the memory usage and also how often AppSense should optimize you memory. The way in which AppSense optimizes your memory is fairly interesting. On each server which has the Performance Management Agent installed there will be a hidden AppSenseCache directory. AppSense then analyzes your system and determines which applications are running more than once and are having multiple copies of a DLL opened and copies these DLL files to this directory. In the process it also renames the DLL to DLL.RELOC and all future instances are launched with the relocated DLL file to optimize performance. You can set the frequency with which this is done, by default every 60 minutes with an optimization occurring immediately afterwards. Due to the nature of a Citrix and Terminal Server environment this is not entirely necessary as your environment will not change all that much. So after the initial testing and first few weeks live you can modify this to optimize in the evening when less workers are using your servers. The next component, Application Manager is used to control who is able to access what. AppSense ships with a template which will block a wide range of executables including regedit, pinball, format, and several others. Application manager features what is known as ownership checking. So when a server is built by an administrator, all applications installed by him are installed with either the Administrators group or the Administrator being granted ownership of the files. Which will make them all accessible. Any executables installed by a user or brought into the organization on CD or USB key will not by default be owned by the administrator and as a result of this will not be executable. Good work? I think so, the problem however comes in when applications are on the run from the network. By default Application Manager stops applications from running from network locations unless you specifically allow these to be run. We ran into this pretty early on in our AppSense roll out because we managed to lock our test user completely out of the system. How our organization works is a lot of executables are stored on network shares and shortcuts to the executables places in the start menu. When the user launched the start menu none of the applications would work. The resolution was to create a group rule to allow the everyone group permission to launch executables from the specified folders. As mentioned earlier you also have the ability to import application signatures to stop the problem of renaming a file to a recognized name and launching it. This is great for security purposes especially if your applications are not recompiled often. Application manager is fairly simple to work through. The simplest way to implement this is to the template from AppSense and if something doesn’t work open it up. All errors are again customizable so your helpdesk can identify exactly what executable you need to open. This leaves Environment Manager. Environment manager opens a whole new can of worms in that it can do so much. The biggest problem is most of us already have redirected start menu’s which give a user only what they need, and group policies which control all the registry keys we need added and removed, and logon scripts which set our network drives etc. And lets face it, most of us spent hours developing our GPO’s and how many of us want to change them? Ok don’t get me wrong, I am not saying if you use AppSense you shouldn’t use Group Policy objects or vice versa. I believe they should be used together I just think that there are somethings which AppSense can do better than a GPO. At first glance you will think you are looking at a glorified GPO because it is broken down into 2 main sections, Computer and User. Computer settings include Startup, Shutdown and Self Healing. I am going to start by just mentioning the things which are customizable and then how you can customize them. Startup allows you to do the following things,
So as you can see it is a fairly comprehensive list. I’m not going to go through all the users actions but what I will say is all of the computer actions are there as well as printer actions and a few others. The power of environment manager extends further as it not only allows you to apply these rules based on group membership, username or ou membership like in a GPO but it now allows you to apply rules by click IP Address, Screen resolution, Server name and even by Mac address or application name. Another awesome feature of Environment manager is the AppSense aim and shoot feature. What this feature allows you to do is launch an application, launch the Lockdown wizard and point a cursor at a control you want removed and AppSense will either hide the field where possible or grey it out so you cannot access it. This is great when you have an application which doesn’t terminate correctly if the users clicks the X and you want to force them to use File > Exit or when you want to lock users to a specific web page. AppSense also offers pretty thorough Auditing and you can configure which actions you want to be notified of using the Auditing Console. Deployment of new agents is equally easy, you simply add the computername, right click and select install deployment agent. It rolls out the deployment agent and then any rules which should be applied to the client. All in all my experience will AppSense today has been pleasant albeit very limited. Everything I have wanted to do I have been able to do. A word of warning though, if you are looking at implementing a solution similar to AppSense sit down and think about what you want prior to arranging for AppSense to demo the product for you so you can ask the right questions straight off the cuff. For me if a company can afford to buy the software and are willing to spend that sort of money on a similar solution AppSense is fair. |
| < Prev | Next > |
|---|
|